Splunk Search

Splunk rex help: regex for windows and unix path

hbustam8063
New Member

Hi, I am a newbie to SPL. I am trying to write a regex that will extract the unix/windows path from the full_log field. I am having no luck with that. Can you please help? The following regex is for Windows. Thank you for your help.
HB

index="newindx" agent.name="*-svrname-*" "*checksum*" | rex field=full_log "^File\s+(?<checksum_changed>^\'[a-zA-Z]:\\[\\\S|*\S]?.*'$)\s+checksum\s+changed.+"

full_log: File '/apps/data/db.data' checksum changed.
full_log: File 'c:\windows\system32\xpsservices.dll' checksum changed.
0 Karma

woodcock
Esteemed Legend

Like this:

... | rex field=full_log "'(?<NewFieldNameHere>[^']+)'"

jpolvino
Builder

Keep it simple!

rex field=full_log "^full_log:\sFile\s'(?<filename>[^']+)'\schecksum changed\."

Rather than trying to guess all legal characters, why not just tell rex "anything but a single quote" ?

This strategy will save you a lot of time, improve readability, and make your extractions much more durable.

See regex: https://regex101.com/r/iz1eYY/1

0 Karma

darrenfuller
Contributor

Here is my attempt...

rex field=full_log "File\s\'(?<pathname>.+[\/\\])[^\\\/]+\'\schecksum\schanged\."

https://regex101.com/r/87ro6z/1

0 Karma

vikcee
Path Finder

@hbustam8063

You can also use this.

...|rex " ( full_log: File\s\')(?<Path>(.*)+)[\/\\]\w+\.\w+'"

and to check your rex :- https://rubular.com/r/M2QDmpGvQr0Yts

richgalloway
SplunkTrust
SplunkTrust

Try ... | rex field=full_log "File '(?<path>.*)[\\\/]\w+\.\w+'". If that doesn't work, you may need more escape characters so try ...| rex field=full_log "File '(?<path>.*)[\\\\\/]\w+\.\w+'".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...